I suspect that something in your infrastructure is broken, but do not know exactly where to tell you to look other than the areas I mentioned above.
You state that only new clients are affected. Are you meaning only newly built computers in the AD domain? Or do older computers that have been migrated/moved to the AD domain also fail?
Have you reviewed the Token cache on an old and new computer? Is the new computers token cache populated?
Download KiXtart version 3.63 and run a test script that uses INGROUP. Does this version behave differently than your current version?
